2.1.1.2 Internal Architecture
The following figure depicts the client architecture of NAP. The data link and NAP protocols are as follows:
NAP protocols:
Protocol Bindings for SoH [TNC-IF-TNCCSPBSoH]
Windows Security Health Agent (WSHA) and Windows Security Health Validator (WSHV) Protocol [MS-WSH]
Authentication Protocol Domain Support [MS-APDS] with NTLM pass-through [RFC4559]
Data link protocols:
Protected Extensible Authentication Protocol (PEAP) [MS-PEAP]
PPP EAP TLS Authentication Protocol [RFC2716]
IEEE Standard for Local and Metropolitan Area Networks - Port-Based Network Access Control [IEEE802.1X]
Dynamic Host Configuration Protocol (DHCP) Extensions for Network Access Protection (NAP) [MS-DHCPN]
Health Certificate Enrollment Protocol [MS-HCEP]
Remote Desktop Gateway Server Protocol [MS-TSGU]

Figure 13: White box diagram of client architecture for multiple scenarios/protocols
In the client, there are five parallel NAP data link protocol stacks that support the five scenarios for NAP (section 1.2), and many of the components are shared across these stacks. For example, PEAP [MS-PEAP] is used for the 802.1X scenarios and also for the VPN scenario. Note that stacks can execute simultaneously, because the client can have multiple network interfaces, or because the network administrator has configured a layered approach to NAP. The latter situation occurs, for example, when NAP uses the IEEE 802.1X stack for wired Ethernet access while the IPsec stack provides fine-grained, end-to-end IPsec NAP enforcement for all client/server communication.
An NPS is a RADIUS server that has been extended for NAP. As such, NAP-related RADIUS attributes [MS-RNAP] from a network access RADIUS request are passed to a NAP policy evaluation engine that processes the SoH request. The SoH request can contain sections from several SHAs on the client. The SHV corresponding to each SHA is invoked to process that SHA's section of the SoH request and to provide its portion of the SoH response (SoHR). The NAP policy evaluation engine uses several external services, such as authentication services and Active Directory services. NAP-related policies can be stored in Active Directory or in files.
The following figure depicts the server-side NAP architecture for an NPS.

Figure 14: Server-side NAP architecture for NPS
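An added example, not from the specification, that models the server-side dispatch described above: each section of the SoH is routed to the SHV registered for its SHA, and the per-SHV verdicts are assembled into one SoHR. The section layout, the SHA IDs and the health checks are assumptions for illustration, not the [TNC-IF-TNCCSPBSoH] or [MS-WSH] encoding.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class SoHSection:          # one SHA's part of the client SoH (constructed layout)
    sha_id: int            # identifies the System Health Agent that produced it
    attrs: dict            # health attributes reported by that SHA

@dataclass
class SoHRSection:         # one SHV's contribution to the SoH response
    sha_id: int
    compliant: bool
    remediation: str = ""

# Registry of System Health Validators keyed by SHA ID (IDs are constructed).
SHV_REGISTRY: Dict[int, Callable[[dict], SoHRSection]] = {}

def shv(sha_id: int):
    """Register a validator for the SHA with the given ID."""
    def register(fn):
        SHV_REGISTRY[sha_id] = fn
        return fn
    return register

@shv(1)
def firewall_shv(attrs: dict) -> SoHRSection:
    ok = attrs.get("firewall_enabled") is True
    return SoHRSection(1, ok, "" if ok else "enable the host firewall")

@shv(2)
def antimalware_shv(attrs: dict) -> SoHRSection:
    ok = (attrs.get("av_enabled") is True
          and attrs.get("av_signature_age_days", 999) <= 7)
    return SoHRSection(2, ok, "" if ok else "update anti-malware signatures")

def evaluate_soh(sections: List[SoHSection]) -> Tuple[bool, List[SoHRSection]]:
    """Dispatch each section to its SHV and assemble the SoHR. A section with
    no registered SHV is treated as non-compliant (fail closed), and an empty
    SoH is never compliant."""
    results = []
    for s in sections:
        validator = SHV_REGISTRY.get(s.sha_id)
        if validator is None:
            results.append(SoHRSection(s.sha_id, False,
                                       f"no SHV registered for SHA {s.sha_id}"))
        else:
            results.append(validator(s.attrs))
    return bool(results) and all(r.compliant for r in results), results
```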